Has this ever happened to you?
You are a clinic manager in a healthcare practice. One day, you receive a phone call from a healthcare provider in another clinic.
They have received a fax with patients’ health information from someone in your clinic. But the fax is not addressed to them – they received it in error.
Is this a mandatory notifiable privacy breach under Alberta’s new Health Information Act (HIA) regulations?
Part A: Circumstances Where Notification Is Required
There are 5 triggers under the Alberta Health Information Act (HIA) that require mandatory privacy breach notification to the Office of the Information and Privacy Commissioner (OIPC), the Alberta Minister of Health, and the individual(s) affected by the breach.
In this scenario, the receiving custodian accessed health information for an individual who was not his patient. Clearly, there is a reasonable basis to believe that the information has been accessed (read) by a person (section 8.1(1)(a) of the Health Information Regulation).
However, the sending custodian had no reason to believe that the information would be misused.
Part B: Circumstances Where Notification Is Not Required
The sending custodian assessed the circumstances of the breach and concluded (as per section 8.1(1)(i) of the Health Information Regulation) that the receiving custodian:
- Accessed the health information in a manner consistent with his role as a health services provider and did not do so for an improper purpose.
- Is subject to confidentiality policies and procedures that meet the requirements of section 60 of the Act.
- Did not use or disclose the information beyond determining that he received it in error.
The sending custodian assessed that the risk is appropriately mitigated and that this privacy breach incident did not trigger the mandatory notification requirements.
Next Steps
The sending custodian must record the privacy breach in their business records. (I suggest that you use an internal privacy breach reporting form and spreadsheet. You can access these templates in the 4 Step Response Plan.) Remember to include your determination that you do not need to report this breach and the reasons that support your decision.
We know that faxes are a frequent source of privacy breach incidents. What can you do in your practice to reduce the risk of faxes in error?
Practice Management Nuggets Podcast
This topic is included in our Practice Management Nuggets podcast! Be sure to tune in to the podcast episode Fax Received in Error – Is this a Notifiable Privacy Breach? | Episode #067.
My Favorite Takeaways From the Podcast
- Understand the mandatory privacy breach notification triggers and the circumstances where notification is not required.
- Record your privacy breaches – even the ones that do not trigger mandatory privacy breach notification.
- Review and improve your fax procedures. We know that this continues to be a frequent source of breaches. What can you do to better manage this known risk?
If you are a member of Practice Management Success, log in here and view the webinar replay.